fix(ci): add changelog entry and improve workflow skip logic

.github/workflows/claude-code-review.yml

@@ -17,18 +17,26 @@ jobs:
       id-token: write
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 1
+      - name: Check if review workflow was modified
+        id: check
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if gh -R ${{ github.repository }} pr diff ${{ github.event.pull_request.number }} --name-only | grep -q '^\.github/workflows/claude-code-review\.yml$'; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            echo "::notice::Skipping Claude review — workflow file was modified (OAuth validation will fail)"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
 
-      - name: Minimize previous Claude review comments
+      - name: Minimize previous review comments
+        if: steps.check.outputs.skip != 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh pr view ${{ github.event.pull_request.number }} \
+          gh -R ${{ github.repository }} pr view ${{ github.event.pull_request.number }} \
             --json comments \
-            --jq '.comments[] | select(.author.login == "claude") | .id' \
+            --jq '.comments[] | select(.author.login == "claude" or .author.login == "github-actions") | .id' \
           | while read -r node_id; do
             gh api graphql -f query='
               mutation {
@@ -38,7 +46,28 @@ jobs:
               }'
           done
 
+      - name: Post skip comment
+        if: steps.check.outputs.skip == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh -R ${{ github.repository }} pr comment ${{ github.event.pull_request.number }} \
+            --body "## Code review
+
+          ⏭️ **Skipped** — This PR modifies \`claude-code-review.yml\`.
+
+          The Claude Code Action OAuth flow validates that the workflow file matches the default branch exactly. PRs that modify this file will always fail the OAuth validation until merged.
+
+          Manual review or alternative review tools should be used for this change."
+
+      - name: Checkout repository
+        if: steps.check.outputs.skip != 'true'
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 1
+
       - name: Run Claude Code Review
+        if: steps.check.outputs.skip != 'true'
         uses: anthropics/claude-code-action@v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

CHANGELOG.md

@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add `require_tool()` guard in `checks.py` for `go`, `gh` — gives clear errors when tools are missing locally
 - Add Claude Code automatic PR review and `@claude` mention workflows
 - Add Copilot review instructions (`.github/copilot-instructions.md`) with project coding standards
+- Add early skip check to Claude Code review workflow when `claude-code-review.yml` is modified to avoid OAuth validation failures ([`999d988`])
 
 ### Tests
 
@@ -544,6 +545,7 @@ Initial release.
 [`a62908f`]: https://github.com/sensiblebit/certkit/commit/a62908f
 [`55b5c1e`]: https://github.com/sensiblebit/certkit/commit/55b5c1e
 [`8cf81d9`]: https://github.com/sensiblebit/certkit/commit/8cf81d9
+[`999d988`]: https://github.com/sensiblebit/certkit/commit/999d988
 [#24]: https://github.com/sensiblebit/certkit/pull/24
 [#25]: https://github.com/sensiblebit/certkit/pull/25
 [#26]: https://github.com/sensiblebit/certkit/pull/26